Cache mechanisms are known for Web services that provide contents ranging from static contents, such as simply displayed Web pages, to dynamic contents, such as Java® Service Provider (JSP) pages. One example of such a cache mechanism is the WebSphere Dyna cache. A known cache mechanism can improve responsiveness by storing the results of previous executions and returning the stored results to a user, rather than actually executing a service object, when the user accesses a Web service again.
It is often preferable for a Web service provider to limit user access to its service depending on the user, and access control mechanisms that limit access according to the user's access authority are also known. For example, when a Web site is built to provide a bank's ATM services, a user can be classified as a Gold, Silver, or Bronze member (hereinafter referred to as access authority) according to the user's credit or long-term deposit, to take advantage of available high-value-added services. In this case, a Bronze member is an ordinary customer, and Silver and Gold members of higher grades can use higher-value services. In addition to usual deposit operations, such Web services may include providing stock (weather) information differentiated according to the access authority, entertainment information, and real estate information.
Specifically, the above-described access limiting features used in providing Web services according to the user's access authority may include the HTTP Basic Auth and the EJB access control mechanism which can control access for individual methods based on access authority.
FIG. 21 schematically shows the process of a Web service providing system which includes a prior access control mechanism. The access control mechanism in the Web service providing system shown in FIG. 21 is provided for a server unit 102 which provides Web services, and the user accesses the server unit 102 from a user terminal 104, such as a computer, a cellular telephone, or a PDA, through a network 106, such as a wired network, a wireless network, or a composite network which contains both. Access authorization for the server unit 102 is usually accomplished by combining a public key and a private key, that is, a code for user identification (hereinafter referred to as user ID) and a password. When the server unit 102 performs the user authentication, an application request sent by the user, for example, an object call request to call an application called “Weather” which provides weather forecast information, is provided to the server unit 102.
The application Weather can also allow for calling a method RoughWF( ) to provide the user with a rough weather forecast according to the user's access authority, a method WeatherForecast( ) to provide more diversified and high-value-added information, and other methods. The user is granted access authority of Gold, Silver, or Bronze as described above, for example, under a contract with a service provider. In the prior art shown in FIG. 21, the user having Silver access authority accesses the server unit 102 from the user terminal 104. The user acquires an execution result corresponding to the user's Silver access authority through a method Weather getRoughWF( ), and the execution result is provided to the user through browser software.
In the Weather application, a Gold user is also permitted to call another method getWeatherForecast( ) and in addition, to call still another method getDetailedInfo within the first method, so that the user can have access to higher-value Web services. FIG. 21 shows that only a user having Gold access authority can acquire the data of getDetailedInfo( ) and that the user having Silver access authority cannot receive, for example, an execution result from the method getDetailedInfo( ).
As shown in FIG. 21, it is assumed that the methods getRoughWF( ) and getWeatherForecast( ) are accessible to the user having Gold or Silver access authority. It should be noted that even the user who has access to a first method does not always have access to a second method to be called within the first method. In FIG. 21, getWeatherForecast( ) is an example of the first method and the method getDetailedInfo( ) to be called within the method getWeatherForecast( ) is not accessible to the user of Silver access authority. Therefore, if getDetailedInfo( ) is called to return an execution result, the execution result from the method getWeatherForecast( ) must not be returned to the user of Silver access authority. On the other hand, the method getRoughWF( ) can return its execution result to the user of Silver access authority, since any method which is not accessible to the user having Silver access authority is not subsequently called.
FIG. 22 shows other disadvantages of the prior access control mechanism shown in FIG. 21. In FIG. 22, as in FIG. 21, the user accesses the server unit 102 from the user terminal 104 through the network 106. FIG. 26 shows an access control feature 108 contained in the server unit 102. For example, if the user of Silver access authority sends the server unit 102 a request which is accessible to a Gold user only, the access control feature 108 inhibits the execution of the request to prevent the user of Silver access authority from improperly accessing any service which requires Gold access authority.
On the other hand, the user having Silver access authority can acquire an execution result from a method Weather getRoughWF( ), which is accessible to the user of Silver access authority. The user of Silver access authority can acquire such authorized data, but there will be a time delay until the data is displayed on browser software, since the server unit 102 must perform access control each time any method which requires access control is called for execution. These disadvantages may depend on the server unit's capability and on process complexity, and thus they could not be remedied even by the widespread adoption of ADSL, optical communication, and other broadband communication technologies, or by higher communication speeds between the server unit and the user terminal.
In order to improve the prior disadvantages described above, a cache mechanism can be introduced into the server unit 102. FIG. 23 shows a system wherein a cache mechanism is introduced in addition to the prior access control mechanism.
The system shown in FIG. 23 is configured to contain a cache mechanism 110 in the server unit 102 and to store in the cache mechanism 110 an execution result from an object called by an object call request transmitted by the user. When the server unit 102 comprises the cache mechanism 110 and the access control mechanism 108 as shown in FIG. 23, the user can exercise proper access authority for a service which requires the access authority to acquire an execution result. In addition, since the execution result acquired by the user is stored in the cache mechanism 110, a user who requests the same object call as that previously requested can easily acquire the previous execution result stored in the cache mechanism. Subsequent processes can also be easily executed based on the execution result from the cache mechanism. However, for the reasons described later, a system without any cache mechanism has been adopted for a Web service involving prior access control.
More specifically, consider that both the cache mechanism 110 and the access control mechanism 108 are used with the server unit 102 as shown in FIG. 23. If the cache mechanism 110 permits the user access irrespective of the user's access authority, a problem arises in which an execution result stored in the cache mechanism will be provided to the user who requests the same service, irrespective of the user's access authority. When such access to the cache mechanism is permitted without access authority, in spite of access control for a Web service, high-value-added information or user awards which must be otherwise provided according to the class of access authority may be inadvertently provided to a user having no access authority through the cache mechanism, resulting in loss of effectiveness and attractiveness of high-value-added Web services.
Thus, access to the cache mechanism needs to be controlled with respect to the user's access authority. However, if the user's access authority is determined for each method called by an object call request from the user, and access control is then performed on the cache mechanism and on a Web service simultaneously, the process may become very time-consuming. This defeats the purpose of the cache mechanism, which is to display execution results to the user quickly. In addition, it is preferable to be able to easily avoid any leakage of high-value-added information caused by access to the cache mechanism when the user's access authority or the service provider's access conditions are changed. Therefore, from the viewpoint of improved capabilities of providing Web services to the user, it is highly desired that the access control and cache mechanisms are used simultaneously to provide as many Web services as possible with a high degree of reliability.
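The cache leak and the nested-method case described above can be reproduced in a few lines. The following is an added illustration, not code from this document and not the mechanism of the invention; the `ACL` table, the `Cache` class and its `check_authority` flag are hypothetical names, and the role sets are constructed from the FIG. 21 description. With the flag off, a result cached for a Gold user is served to a Silver user; with it on, each entry stores the authorities permitted on every method of the call chain, so a hit needs a single membership test.

```python
# Added example. Role sets are constructed to mirror the page's Weather case.
ACL = {"getRoughWF": {"Gold", "Silver"},
       "getWeatherForecast": {"Gold", "Silver"},
       "getDetailedInfo": {"Gold"}}

class AccessDenied(Exception):
    pass

class Weather:
    """Service object: each method entry is checked against the caller's role."""
    def __init__(self, role):
        self.role, self.touched = role, []

    def _enter(self, method):
        if self.role not in ACL[method]:
            raise AccessDenied(method)
        self.touched.append(method)      # record the call chain for the cache

    def getRoughWF(self):
        self._enter("getRoughWF")
        return "rough forecast"

    def getDetailedInfo(self):
        self._enter("getDetailedInfo")
        return "detailed info"

    def getWeatherForecast(self):
        self._enter("getWeatherForecast")
        return "forecast + " + self.getDetailedInfo()   # nested call

class Cache:
    """check_authority=False: keyed on method only (the leak described above).
    check_authority=True: each entry also stores the roles allowed on every
    method of the call chain; a hit costs one set-membership test."""
    def __init__(self, check_authority):
        self.check_authority, self.store = check_authority, {}

    def call(self, role, method):
        if method in self.store:
            result, allowed = self.store[method]
            if self.check_authority and role not in allowed:
                raise AccessDenied(method)
            return result
        svc = Weather(role)
        result = getattr(svc, method)()  # raises on denial, so nothing is cached
        allowed = set.intersection(*(ACL[m] for m in svc.touched))
        self.store[method] = (result, allowed)
        return result
```
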
The present invention is devised in view of the disadvantages of the prior art described above and it is an object of the present invention to provide a Web service providing system which can provide high-value-added Web services as quickly as possible with a high degree of reliability. It is another object of the present invention to provide a server unit which can provide the above-described Web services. It is still another object of the present invention to provide a server unit control method which can cause a computer system to function as the above-described server unit. It is still another object of the present invention to provide a program to cause a computer system to function as the above-described server unit and a computer-readable recording medium on which said program is recorded.